From 8fe199c66d3d2118fc45a2ffa2d994430a91da3e Mon Sep 17 00:00:00 2001
From: Trygve Laugstøl
Date: Tue, 27 Oct 2020 22:08:56 +0100
Subject: Adding hash to wireguard.
---
 ansible/group_vars/all/wireguard_wg0.yml | 7 +++++++
 ansible/inventory | 10 ++++++----
 .../plays/files/hash/etc/wireguard/public-wg0.key | 1 +
 ansible/roles/wireguard/tasks/main.yml | 21 +++++++-------------
 4 files changed, 21 insertions(+), 18 deletions(-)
 create mode 100644 ansible/plays/files/hash/etc/wireguard/public-wg0.key
diff --git a/ansible/group_vars/all/wireguard_wg0.yml b/ansible/group_vars/all/wireguard_wg0.yml
index 2a8f7e2..5d8e450 100644
--- a/ansible/group_vars/all/wireguard_wg0.yml
+++ b/ansible/group_vars/all/wireguard_wg0.yml
@@ -9,6 +9,8 @@ wireguard_wg0:
 peers: all
 # Generated by https://www.ultratools.com/tools/rangeGenerator
 ipv6: fdf3:aad9:a885:0b3a::1
+ allowed_ips:
+ - ::/0
 birgitte:
 state: present
 ipv4: 192.168.60.2
@@ -37,3 +39,8 @@ wireguard_wg0:
 android-trygvis:
 state: present
 ipv6: fdf3:aad9:a885:0b3a::12
+ hash:
+ endpoint: hash.trygvis.io
+ listen_port: 51821
+ peers: all
+ ipv6: fdf3:aad9:a885:0b3a::13
diff --git a/ansible/inventory b/ansible/inventory
index 5789258..501477c 100644
--- a/ansible/inventory
+++ b/ansible/inventory
@@ -4,7 +4,7 @@ all:
 ansible_host: knot.vpn.trygvis.io
 ansible_python_interpreter: /usr/bin/python3
 hash:
- ansible_host: hash.trygvis.io
+ ansible_host: hash.vpn.trygvis.io
 numquam:
 ansible_host: numquam.trygvis.io
 birgitte:
@@ -12,6 +12,7 @@ all:
 ansible_python_interpreter: /usr/bin/python3
 arius:
 ansible_host: arius.trygvis.io
+ ansible_python_interpreter: /usr/bin/python3
 mw:
 ansible_host: 2a01:7e00:e000:272:2ff:aaff:fe7e:46b4
 homepi:
@@ -22,7 +23,7 @@ all:
 ansible_host: conflatorio.vpn.trygvis.io
 ansible_python_interpreter: /usr/bin/python3
 akili:
- ansible_host: akili.local
+ ansible_host: akili.vpn.trygvis.io
 ansible_python_interpreter: /usr/bin/python3
 nextcloud:
 ansible_host: 192.168.10.201
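Review bot: The new `allowed_ips:` / `- ::/0` pair makes this entry the IPv6 default route for every peer that includes it, because the template in this same commit now writes each listed prefix verbatim as an `AllowedIPs=` line, and nothing in the file says so; an inline comment would help, e.g. `# ::/0 — peers send all IPv6 traffic through this host`. The IPv4 catch-all (`0.0.0.0/0`) that the old template emitted for endpoint hosts is not carried over here, which may be intended but is not mentioned in the commit message. The host name this entry belongs to is above the hunk.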
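Review bot: The new `hash` entry has no `state: present`, while the neighbouring `android-trygvis` entry (and `birgitte` in the first hunk) carry one; whether the role treats a missing `state` as present cannot be confirmed from this diff, so it is worth adding the key for consistency. `endpoint: hash.trygvis.io` is the public name, whereas the inventory change in this commit points Ansible at `hash.vpn.trygvis.io`; keeping the two distinct looks deliberate, and a short comment such as `# public endpoint, not the VPN name` on the endpoint line would record that. The entry also has no `ipv4`, so peers will only get an IPv6 `AllowedIPs=` line for it.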
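Review bot: `ansible_host` for `hash` now resolves to the VPN name `hash.vpn.trygvis.io`, so Ansible can only reach the host once the wg0 tunnel this same commit configures is up; a first run against a fresh host, or any run after the tunnel breaks, will fail to connect. The same applies to `akili` in the third hunk (`akili.local` → `akili.vpn.trygvis.io`). If an out-of-band address is still available for bootstrap it is worth recording it next to the entry, e.g. `# reachable as hash.trygvis.io before wg0 is up`.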
@@ -148,15 +149,16 @@ all:
 wireguard_wg0:
 hosts:
 akili:
+ android-trygvis:
 arius:
 astyanax:
 babypi:
 birgitte:
 conflatorio:
+ hash:
 knot:
 malabaricus:
- sweetzpot-mobile:
 sweetzpot-macos:
- android-trygvis:
+ sweetzpot-mobile:

 # vim: set filetype=yaml:
diff --git a/ansible/plays/files/hash/etc/wireguard/public-wg0.key b/ansible/plays/files/hash/etc/wireguard/public-wg0.key
new file mode 100644
index 0000000..b7736d6
--- /dev/null
+++ b/ansible/plays/files/hash/etc/wireguard/public-wg0.key
@@ -0,0 +1 @@
+mqWUWuINT47LoIxYHNrtdvE91nBZeqGaRfwAK1rTPHw=
diff --git a/ansible/roles/wireguard/tasks/main.yml b/ansible/roles/wireguard/tasks/main.yml
index d05cec9..a91aea5 100644
--- a/ansible/roles/wireguard/tasks/main.yml
+++ b/ansible/roles/wireguard/tasks/main.yml
@@ -76,14 +76,15 @@
 # {{ hostname }}
 [WireGuardPeer]
 PublicKey={{ host.public_key if host.public_key is defined else lookup('file', hostname + '/etc/wireguard/public-{{ wg_net.if }}.key') }}
- {% if host.endpoint is defined %}
- AllowedIPs={{ "0.0.0.0/0" }}
- {% elif host.ipv4 is defined %}
+ {% if host.allowed_ips is defined %}
+ {% for h in host.allowed_ips %}
+ AllowedIPs={{ h }}
+ {% endfor %}
+ {% endif %}
+ {% if host.ipv4 is defined %}
 AllowedIPs={{ host.ipv4 }}
 {% endif %}
- {% if host.endpoint is defined %}
- AllowedIPs={{ "::/0" }}
- {% elif host.ipv6 is defined %}
+ {% if host.ipv6 is defined %}
 AllowedIPs={{ host.ipv6 }}
 {% endif %}
 {% if host.endpoint is defined %}
@@ -118,14 +119,6 @@
 {% endfor %}
 {% endif %}

- - name: UFW allow port
- when: wg_host.listen_port is defined
- tags: wireguard-config
- ufw:
- rule: allow
- port: "{{ wg_host.listen_port }}"
- proto: udp
-
 - tags:
 - wireguard
 become: yes
-- cgit v1.2.3
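Review bot: The new `{% if host.allowed_ips is defined %}` / `{% for h in host.allowed_ips %}` pair can be collapsed to `{% for cidr in host.allowed_ips | default([]) %}`, which drops two lines and gives the loop variable a name that says what it holds; `h` reads as "host" in a template whose outer variable is already `host`. The loop writes every listed prefix unchecked, and a `0.0.0.0/0` or `::/0` entry makes that peer the default route through cryptokey routing, so a one-line comment above the loop saying that `allowed_ips` is emitted verbatim and that wide prefixes redirect all of the host's traffic would help the next editor. Since the old unconditional `0.0.0.0/0` / `::/0` for endpoint hosts is gone, any peer that relied on it now needs an explicit `allowed_ips`; the enclosing template block starts and ends outside the hunk.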
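Review bot: Dropping the `UFW allow port` task removes the only place in this role that opens `listen_port` on the host firewall, and the same commit adds a new listener (`hash`, `listen_port: 51821`); if that host runs ufw with a default-deny input policy the port stays closed until a rule is added outside this role, and the commit message names no replacement. If the rule now lives elsewhere, a comment at this spot such as `# firewall rule for listen_port is managed in <ROLE-OR-PLAY>` would stop someone re-adding the task; otherwise the task should stay. The `- tags:` / `- wireguard` task that follows continues past the end of the hunk.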